SAS: A Cybersecurity Framework - Six Steps to Empowering Your Analytics
Posted: 12 April 2017 | Author: Mark Dobeck | Source: SAS
In simpler times, protecting an enterprise network and its data was something like securing a medieval castle. You had a big wall surrounded by a deep moat and allowed traffic by discretion across a guarded drawbridge. At the first sign of anomalous entry, you could drop the gate, bring up the drawbridge and secure your resources within the safe perimeter.
Those days are over. The age of network openness – driven by cloud computing, bring your own device (BYOD) initiatives, the internet of things and more – makes securing a network more like securing the Everglades. Traffic flows in a multitude of channels and lagoons across a vast landscape. Pythons lurk, hidden in the grass, but where?
Organizations are making some pretty significant investments to try to secure this wildly open environment. According to the research firm Markets and Markets, by 2020 organizations will be spending $170 billion a year on security solutions alone. SANS Institute reported that financial services institutions, which feel the pressure the most, spend about 10 to 12 percent of their total enterprise IT budgets on security. And the 2016 RSA Conference showcased 125 new vendors in the security marketplace.
There’s a lot of buzz about new technologies, such as behavioral analytics, machine learning and so on. No one can say organizations are not trying or innovating.
But in spite of all this investment, the security realities are still sobering:
- More than $450 billion a year is lost to cybercrime.
- The median cost of cybercrime has doubled in the last five years.
- It costs an average of $158 per record to remediate a security breach.
- Most security breaches (59 percent) are discovered by a third party.
- It takes slightly more than 80 days on average to detect a security breach – and that’s down from hundreds of days in previous years.
These numbers tell us that we could do much better within the security industry. Massive change needs to take place.
Where traditional approaches are falling short
My colleague Stu Bradley, Vice President of Cybersecurity Solutions at SAS, joined me in a presentation at Analytics Experience 2016 on this very topic. He describes the traditional security scenario well:
“Organizations have continually tried to buy down the security challenge. By that I mean, we’ve identified a new category of threat, so I’m going to buy a technology to address that category and plug that hole in the dam. It happens again and again and again, and the end result is a series of siloed solutions that are not talking to each other.”
We poured the boiling oil over the ramparts to thwart the heathens climbing the walls, but meanwhile arrows could be shooting over our heads. And ultimately we don’t gain much forward-looking insight about where the next attack is likely to appear and in what form.
Enter SIEM – security information and event management technologies. SIEM aggregates information from all those security tools to provide a more holistic view. “These technologies have largely succeeded from an aggregation perspective,” Bradley notes. “But where they’ve fallen down is, now that we’ve aggregated all this information, how do we become more proactive, and how can we ensure that we’re using all this security data to our greatest advantage?”
This is where security analytics comes in. Bradley calls on organizations to “move up the maturity scale from ad hoc and reactive add-ons to a systematic evolution – from basic approaches using search and query, rules and digital signatures to a more sophisticated approach based on behavioral patterns and predictive analytics.”
Far more than simple aggregation, a security analytics platform can correlate and optimize network communication data, enrich it with business and security context, and prioritize intelligence for rapid consumption. Analysts can then build a complete picture – not just see that a breach occurred, but what it touched and what it did.
How to get to a more structured approach
My research at Cleveland State University’s School of Business Management led me to develop a methodology for implementing cybersecurity in a more formal and strategic way. I call it RADAR2, an acronym representing the six steps of a continuous-loop methodology:
The Readiness step is about planning and communication, spearheaded by a cybersecurity readiness team. It’s taking stock of where you are, what needs to change, and documenting policies and procedures in an enterprisewide cybersecurity risk management plan. Many organizations have a plan, but it reflects a disconnected, siloed environment, one where neither the security tools nor the people have much interaction across functional or organizational lines. On the other hand, many organizations have great policies and plans, but no documentation to support them.
The plan must be comprehensive, addressing the spectrum of data governance issues (such as regulatory compliance, legal obligations and fiduciary responsibility) and threat intelligence (such as the internal and external data that will be used, and how it will be made accessible, timely, reliable and relevant).
As with many strategic initiatives, this process requires the commitment of top-level management and involvement of leaders at all levels of the organization.
The Awareness step is about creating a culture of analytics and shared responsibility for cybersecurity. Since many breaches occur because employees slip up, it’s critical to make everyone in the organization aware of their personal role in protecting company data.
The Awareness step calls for an implementation plan, which will probably include a change management program. People are resistant to change, even positive change, so you will need to clearly communicate what is happening and back it up with education, training and ongoing support.
At the Detection step, organizations have a rich array of tools to identify security events. Traditional rules and outlier detection methods are useful to address known patterns of hacking but are not very good at addressing the sophisticated and evolving schemes we’re seeing today.
Three advanced methods are taking center stage in new security analytics products:
- Behavioral analysis identifies variances from the baseline view of network traffic and how systems should behave. These anomalies can point to unauthorized access or data leaks.
- Predictive modeling has been a game changer in the financial services industry and is beginning to be so in other areas as well. With predictive modeling, you can see the patterns or interrelationships among various data elements that together point to potential security risks.
- Machine learning takes predictive modeling to an entirely new level. Unlike rules-based systems, which are fairly easy for hackers to test and circumvent, machine learning adapts to changing patterns of network events through automated model building. With every iteration, the algorithms get smarter and deliver more accurate results. It’s easy to see the value of machine learning to keep pace with evolving cyberthreats.
Next is the Action step. When a security event calls for action, a plan is in place for how the rapid response team will:
- Assess the situation.
- Determine what corrective action and damage control measures are needed.
- Refer to the legal department for evaluation and review.
- Communicate the event internally and externally.
- Initiate an investigation, potentially with law enforcement.
The plans defined in the Action step are carried out in the Remediation phase. This step should go beyond correcting problems and issues that were identified in the Detection phase. A known cyber event should trigger a formal enterprise security audit and potentially an update or upgrade to the technology used to detect and respond to the vulnerability. Security audits should be done regularly, perhaps annually, but certainly after a problem arises.
In the Recovery step, the organization takes steps to enable normal operations to resume. This is the time to:
- Conduct (and learn from) a formal postmortem examination.
- Revise cybersecurity policies and procedures as necessary.
- Implement and test any changes.
- Communicate these actions to all stakeholders.
This six-step methodology is a continuous-loop process, where the insights gained from each incident are fed back into the start of the loop again, with updates to the enterprise cybersecurity plan and action steps.
If you remember only 4 things
1. Cybersecurity can no longer be managed in a reactive, patchwork or silo manner. When you consider the risks associated with data or network breaches – in dollars, regulatory penalties and tarnished reputation – it’s clear that cybersecurity is a strategic imperative and should be addressed at the top levels of the organization. The chief information security officer should have a seat at board meetings and a place on the agenda as a key player in the overall risk management program and long-term planning.
2.The RADAR2 methodology is an ongoing process. Periodically revisit and update the enterprise security plan as new knowledge and tools become available. Every security incident should trigger another pass through the Readiness and Awareness steps to continually fortify the offense and defense.
3. Awareness, communication and coordination are key to a cybersecurity culture. Protecting personal and company confidential data is essential to the organization, for reasons of compliance, fiduciary responsibility and protecting trade secrets. Don’t expose it to a misstep by an employee. Everybody should consider cybersecurity to be intrinsic to their job descriptions.
4. Security analytics enables data-driven decision making throughout the cycle. Advanced analytics such as behavioral analysis, predictive analytics and automated machine learning redefine the art. It won’t be like having a GPS tracking collar on every python, but you will see the signs they are afoot, and you’ll continually get better at spotting them.
How would your organization fare if it experienced one of those dreaded headline-making breaches? Most organizations underestimate their level of preparedness. It’s critical to address cybersecurity in a systematic, formal and strategic way. You don’t have to adopt the scalable, customizable RADAR2 framework, but you should adopt something like it, because nobody is immune.